Soumettre #835614: UltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escapationinformation

TitreUltraISO Premium Edition Kernel Driver bootpt64.sys 9.76 Local Privilege Escapation
DescriptionUltraISO Premium Edition 9.76 ships the signed kernel driver bootpt64.sys. The driver exposes \\.\BootPart to standard users and allows a caller to mount a selected physical disk range through IOCTL 0x7F300. After the mount succeeds, normal ReadFile and WriteFile operations on the BootPart device are serviced by a raw disk handle opened inside the driver. In the validation below, a standard user at Medium Integrity could not read or write a protected flag file on a temporary VHD and could not open the VHD as \\.\PhysicalDrive1. The same standard user opened \\.\BootPart, mounted disk 1, and read the protected file's NTFS data clusters by raw disk offset. In a separate non-destructive write proof, the same user wrote a marker to an unused sector of a temporary unformatted VHD attached as disk 2; an administrator raw readback from the VHD confirmed the marker. An unprivileged user can exploit arbitrary read/write primitives over protected file resources to achieve local privilege escalation.
La source⚠️ https://winslow1984.com/books/cve-collection/page/ultraiso-premium-976-kernel-driver-bootpt64sys-local-privilege-escalation
Utilisateur
 winslow1984 (UID 79140)
Soumission22/05/2026 07:40 (il y a 2 mois)
Modérer20/06/2026 11:54 (29 days later)
StatutAccepté
Entrée VulDB372528 [Ezbsystems UltraISO Premium Edition jusqu’à 9.76 Kernel Driver bootpt64.sys élévation de privilèges]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!